Cross-Site Scripting (“XSS”) attacks in web applications are commonly classified as “reflected” (also called “non-persistent”), “stored” (“persistent”) or DOM-based. XSS injection is a serious and widespread security issue and is probably the most common vulnerability class in web applications. But XSS is not the only injection vulnerability that affects web applications. Similar bug patterns can also be found, for instance, in Structured Query Language (“SQL”) injection or remote command injection. All such vulnerabilities are caused by untrusted data flowing from attacker-controlled sources (e.g., request parameters, the URL, form fields) to security-sensitive sinks, such as application programming interface (“API”) calls that evaluate code, build SQL statements or write HTML markup. Data tainting (or taint checking) is a programming language or runtime feature that marks data originating from such sources as tainted. The mark propagates to all data derived from the marked input, for example through string concatenation. As a result, application code or the runtime can implement runtime assertions at sinks to ensure that security-critical code is not invoked with tainted data. Taint tracking is one approach to detecting and mitigating XSS attacks.
But conventional approaches to taint tracking only capture data flows on either the server side or the client side. This means that only purely server-side or purely client-side flows can be observed. For example, a flow from a server-side source into a client-side sink is invisible to such systems, because the taint mark is lost when the data is serialized into the HTTP response. In addition, existing approaches are prone to false positives and false negatives, as they are unable to observe data flows from client-side sources to server-side sinks, and vice versa.
Given that modern web applications distribute their application code (e.g., in the form of JavaScript) between client and server, a significant number of potentially vulnerable data flows cross the client/server boundary and can be overlooked by conventional solutions.
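The following JavaScript is an added example, not code from the original text or from any product it describes. It illustrates two points made above: the taint-propagation-and-sink-assertion mechanism from the first paragraph, and the blind spot from the second, in which a flow from a server-side source into a client-side sink is invisible because the taint mark does not survive serialization. The `Tainted` wrapper class, the `concat` helper and the `setInnerHtml` sink are simplified stand-ins chosen for illustration (real taint engines track taint inside the string implementation of the runtime rather than through a wrapper object); the request parameter, the JSON response shape and the element object are constructed for the example.

```javascript
// Added illustrative example: a minimal taint tracker for strings.
// A Tainted value carries the raw string plus the name of the source it came from.
class Tainted {
  constructor(value, source) {
    this.value = String(value);
    this.source = source;
  }
  toString() { return this.value; }
  // When serialised (e.g. into an HTTP JSON response) the value is emitted as a
  // plain string: this is exactly where the taint mark is lost at the boundary.
  toJSON() { return this.value; }
}

// Mark data read from an attacker-controlled source.
function taint(value, source) { return new Tainted(value, source); }
function isTainted(x) { return x instanceof Tainted; }

// Taint-aware concatenation: the result is tainted if any operand is tainted.
function concat(...parts) {
  const taintedParts = parts.filter(isTainted);
  const joined = parts.map(String).join('');
  if (taintedParts.length === 0) return joined;
  return new Tainted(joined, taintedParts.map((t) => t.source).join(','));
}

// Security-sensitive sink with a runtime assertion (the innerHTML setter is
// simulated on a plain object; there is no DOM in this example).
class TaintedDataAtSinkError extends Error {}
function setInnerHtml(elem, html) {
  if (isTainted(html)) {
    throw new TaintedDataAtSinkError(
      `tainted data from ${html.source} reached innerHTML`);
  }
  elem.innerHTML = String(html);
}

function renderOrBlock(elem, html) {
  try {
    setInnerHtml(elem, html);
    return 'allowed';
  } catch (e) {
    if (e instanceof TaintedDataAtSinkError) return 'blocked';
    throw e;
  }
}

// Purely client-side flow: location.search -> innerHTML. Taint is preserved and
// the sink assertion fires.
function clientOnlyFlow(queryString) {
  const name = taint(queryString, 'location.search');
  const elem = { innerHTML: '' };
  return renderOrBlock(elem, concat('<b>Hello ', name, '</b>'));
}

// Server side of a cross-boundary flow: the handler reads an attacker-controlled
// request parameter and embeds it in a JSON response (constructed shape).
function serverHandler(requestParam) {
  const name = taint(requestParam, 'req.query.name');
  return JSON.stringify({ greeting: concat('Hello ', name) });
}

// Client side of the same flow: the response is parsed and written to innerHTML.
// The greeting is now an ordinary string, so the sink cannot detect the flow.
function clientRenders(responseBody) {
  const data = JSON.parse(responseBody);
  const elem = { innerHTML: '' };
  return renderOrBlock(elem, data.greeting);
}

function crossBoundaryFlow(requestParam) {
  return clientRenders(serverHandler(requestParam));
}

// Example run with a constructed XSS payload.
const payload = '<img src=x onerror=alert(1)>';
console.log('client-only flow:', clientOnlyFlow(payload));       // blocked
console.log('cross-boundary flow:', crossBoundaryFlow(payload)); // allowed (false negative)
```

The second call is the false negative described above: the same attacker-controlled value reaches the same sink, but because the source was observed on the server and the sink on the client, a tracker confined to one side sees an untainted string. Closing that gap requires the source label to be carried across the HTTP boundary along with the value, rather than being dropped at serialization.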